On 11/01/2016 08:31 AM, Stephen Smalley wrote:
> On 11/01/2016 07:50 AM, Daniel J Walsh wrote:
>> I wrote a blog http://danwalsh.livejournal.com/75282.html which talks
>> about chrome sandbox and its attempt to change its parent's oom_score_adj
>> value, which is labeled unconfined_t. The question has come up on
>> Twitter to be able to change the label on just this object.
>>
>> I think we discussed this before, but how difficult would it be to
>> change individual file labels under /proc/self/?
> Technically feasible, already on the kernel todo list,
> https://github.com/SELinuxProject/selinux/wiki/Kernel-Todo
>
> However, I agree with Dominick here - the parent shouldn't run in
> unconfined_t in the first place.
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
>
>

Sure, we could label chrome to run as some other label, but then you end up with multiple unconfined domains running, or end up attempting to confine chrome, which is a losing battle, in the general use case.